Avoid reparse issues with non-special URLs

notriddle · notriddle · commit a9c7af57245f · 2018-12-11T21:52:43.000Z
This is a willfull violation of the URL specification for serialization. It retains spec-compliance for parsing, it aligns with the behavior of Microsoft Edge, and it "fixes" an acknowledged specification bug. See whatwg/url#415 Fixes #397
diff --git a/src/lib.rs b/src/lib.rs
@@ -1035,12 +1035,21 @@ impl Url {
     /// # run().unwrap();
     /// ```
     pub fn path(&self) -> &str {
-        match (self.query_start, self.fragment_start) {
+        let path = match (self.query_start, self.fragment_start) {
             (None, None) => self.slice(self.path_start..),
             (Some(next_component_start), _) |
             (None, Some(next_component_start)) => {
                 self.slice(self.path_start..next_component_start)
             }
+        };
+        // Disambiguating a path that starts with "//" from a URL with an authority may require
+        // the serializer to insert a disambiguating marker to the start of the path.
+        // When deserializing, "/./" is supposed to be reduced to "/", so avoid exposing it to
+        // the application.
+        if path.len() >= 3 && &path[..3] == "/./" {
+            &path[2..]
+        } else {
+            path
         }
     }
 
diff --git a/src/parser.rs b/src/parser.rs
@@ -1057,6 +1057,17 @@ impl<'a> Parser<'a> {
                         }
                     }
                     if ends_with_slash {
+                        // This is a willfull violation of the URL specification for serialization.
+                        //
+                        // It aligns with the behaviour of Microsoft Edge,
+                        // it does not affect the result of parsing (that's still compliant),
+                        // and it's necessary to make URL reparsing idempotent.
+                        //
+                        // See the specification bug at https://github.com/whatwg/url/issues/415
+                        if !*has_host && &self.serialization[path_start..] == "/" {
+                            self.serialization.push('.');
+                            self.serialization.push('/');
+                        }
                         self.serialization.push('/')
                     }
                 }
diff --git a/tests/urltestdata.json b/tests/urltestdata.json
@@ -6144,5 +6144,20 @@
     "pathname": "/test",
     "search": "?a",
     "hash": "#bc"
+  },
+  "Found by fuzzing",
+  {
+    "input": "a:/a/..//a",
+    "base": "about:blank",
+    "href": "a:/.//a",
+    "protocol": "a:",
+    "username": "",
+    "password": "",
+    "host": "",
+    "hostname": "",
+    "port": "",
+    "pathname": "//a",
+    "search": "",
+    "hash": ""
   }
 ]

Original file line number	Diff line number	Diff line change
`@@ -1057,6 +1057,17 @@ impl<'a> Parser<'a> {`
`1057`	`1057`	`}`
`1058`	`1058`	`}`
`1059`	`1059`	`if ends_with_slash {`
	`1060`	`+ // This is a willfull violation of the URL specification for serialization.`
	`1061`	`+ //`
	`1062`	`+ // It aligns with the behaviour of Microsoft Edge,`
	`1063`	`+ // it does not affect the result of parsing (that's still compliant),`
	`1064`	`+ // and it's necessary to make URL reparsing idempotent.`
	`1065`	`+ //`
	`1066`	`+ // See the specification bug at https://github.com/whatwg/url/issues/415`
	`1067`	`+ if !*has_host && &self.serialization[path_start..] == "/" {`
	`1068`	`+ self.serialization.push('.');`
	`1069`	`+ self.serialization.push('/');`
	`1070`	`+ }`
`1060`	`1071`	`self.serialization.push('/')`
`1061`	`1072`	`}`
`1062`	`1073`	`}`